From: Geliang Tang <geliang@kernel.org>
To: Tao Cui <cuitao@kylinos.cn>,
	matttbe@kernel.org, martineau@kernel.org,  davem@davemloft.net,
	edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: horms@kernel.org, mptcp@lists.linux.dev
Subject: Re: [PATCH mptcp-next 1/2] mptcp: pm: fix use-after-free in mptcp_userspace_pm_delete_local_addr
Date: Thu, 14 May 2026 11:07:43 +0800
Message-ID: <de6caab069a04d0c968a5f3a59c0c2753f4d9147.camel@kernel.org>
In-Reply-To: <20260509075629.217791-1-cuitao@kylinos.cn>

Hi Tao,

Thanks for this set. It looks like the cover letter of this set is
missing. You can use "--cover-letter" to create it:

	git format-patch -2 --cover-letter

sashiko adds some comments here, please address them in v2:

https://sashiko.dev/#/patchset/20260509075629.217791-2-cuitao@kylinos.cn

On Sat, 2026-05-09 at 15:56 +0800, Tao Cui wrote:
> mptcp_userspace_pm_delete_local_addr() calls list_del_rcu() followed
> immediately by sock_kfree_s(), which frees the entry synchronously
> without waiting for an RCU grace period.  A concurrent RCU read-side
> lookup (e.g. via mptcp_userspace_pm_get_local_id) could still be
> accessing the freed entry.
> 
> Fix it by replacing sock_kfree_s() with kfree_rcu_mightsleep() and
> adjusting sk_omem_alloc manually, matching the pattern already used
> in mptcp_pm_nl_remove_doit() in the same file.
> 
> Signed-off-by: Tao Cui <cuitao@kylinos.cn>
> ---
>  net/mptcp/pm_userspace.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/net/mptcp/pm_userspace.c b/net/mptcp/pm_userspace.c
> index 8cbc1920afb4..586e19e9b913 100644
> --- a/net/mptcp/pm_userspace.c
> +++ b/net/mptcp/pm_userspace.c
> @@ -109,7 +109,11 @@ static int
> mptcp_userspace_pm_delete_local_addr(struct mptcp_sock *msk,
>  	 * be used multiple times (e.g. fullmesh mode).
>  	 */
>  	list_del_rcu(&entry->list);
> -	sock_kfree_s(sk, entry, sizeof(*entry));
> +	kfree_rcu_mightsleep(entry);

mptcp_userspace_pm_delete_local_addr is invoked under the pm lock, so
using kfree_rcu_mightsleep is not a good idea.

Also, this mptcp_userspace_pm_delete_local_addr helper is removed in
the set [1] under review, so it's better to keep this sock_kfree_s
unchanged.

[1]
https://patchwork.kernel.org/project/mptcp/patch/e2c1bd781cdd4a7a0233305c0cc5cd12e36ec31c.1776466833.git.tanggeliang@kylinos.cn/

> +	/* Adjust sk_omem_alloc like sock_kfree_s() does, to match
> +	 * with allocation of this memory by sock_kmemdup()
> +	 */
> +	atomic_sub(sizeof(*entry), &sk->sk_omem_alloc);
>  	msk->pm.local_addr_used--;
>  	return 0;
>  }
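Review bot: the replacement line `+	kfree_rcu_mightsleep(entry);` swaps a synchronous free for a primitive that, as its name states, may sleep, and the reply above notes that mptcp_userspace_pm_delete_local_addr() is invoked under the pm lock; a grace-period-deferred free at this spot therefore needs either a non-sleeping variant or to be performed after the lock is dropped, and the commit message should say which lock is held here. A second point on the accounting lines: `+	atomic_sub(sizeof(*entry), &sk->sk_omem_alloc);` now runs at list removal time while the memory itself is released only after the grace period, so sk_omem_alloc under-counts the live allocation for that window; since the commit message relies on mptcp_pm_nl_remove_doit() already doing the same, state that this transient mismatch is intentional. Also note that the unchanged context line `list_del_rcu(&entry->list);` sits under a TODO about a missing refcount for entries used multiple times (fullmesh mode); deferring the free closes the RCU-lookup race but does not address that case, so the subject line "fix use-after-free" should be scoped to the concurrent-lookup race only. Given the reply that this helper is removed by the set in [1], consider dropping this patch or rebasing it on that series rather than sending a v2 of the same change.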

Thread overview: 7+ messages
2026-05-09  7:56 [PATCH mptcp-next 1/2] mptcp: pm: fix use-after-free in mptcp_userspace_pm_delete_local_addr Tao Cui
2026-05-09  7:56 ` [PATCH mptcp-next 2/2] mptcp: pm: fix extra_subflows u8 underflow in userspace PM Tao Cui
2026-05-09 12:04   ` MPTCP CI
2026-05-14  3:17   ` Geliang Tang
2026-05-14  3:07 ` Geliang Tang [this message]
2026-05-15  2:46   ` [PATCH mptcp-next 1/2] mptcp: pm: fix use-after-free in mptcp_userspace_pm_delete_local_addr Matthieu Baerts
  -- strict thread matches above, loose matches on Subject: below --
2026-05-09  7:54 Tao Cui
